SYSTEM AND METHOD OF BOOTSTRAPPING A TEMPORARY PUBLIC-KEY
INFRASTRUCTURE FROM A CELLULAR TELECOMMUNICATION
AUTHENTICATION AND BILLING INFRASTRUCTURE

TECHNICAL FIELD 

The invention relates to a system and method of bootstrapping a public-key infrastructure to enable
secure payment of goods and services using a mobile terminal. More particularly, the invention is a system
and method in which subscribers of a cellular telecommunication system can buy goods and services from
sellers and arrange for payment through the subscriber's telephone bill using a mobile terminal which
ensures that errors and fraud do not take place relating to the payment.

BACKGROUND ART 

It has been common for buyers to pay for goods and services using credit and debit cards. The use
of credit cards has eliminated the need to carry large amounts of cash in order to pay for these goods and
services. Further, the use of a credit card has eliminated the need for car rental agencies and hotels to
require large deposits in order to assure return of vehicles or to reserve rooms. Thus, the use of credit cards
has facilitated the transacting of business and thus provides a significant convenience to the buyer.
However, credit cards have also facilitated the occurrence of fraud and errors in which the customer is
double billed for the same item or billed the incorrect amount.

With the explosion in Internet access and usage, an increasing volume of business is occurring
between individuals and firms, who have never seen each other, let alone engaged in any prior business
transactions. Currently, a typical Internet user would have a browser installed in his local computer or
server such as Internet Explorer™ or Netscape™. Using this browser, the user would access an Internet
service provider, such as America-On-Line (AOL™), via a modem over the local public switched
telephone network (PSTN). Once logged onto the Internet server, the user may utilize one of the many
search engines, such as Yahoo!™ or Lycos™, to specify search terms. The user may also use a web
crawler, spider or robot to attempt to find a product, service or information desired. The search engine or
web crawler would then respond with a list of web sites which matched the search terms the user provided.
The user would then log onto a web site and view the products or services available for sale. If the user
decides to buy the item from the web site, the firm operating the web site would again frequently request a
credit card number be entered by the user in order to pay for the product or service. Once the credit card
charge is approved, the operator of the web site will then typically ship the item to the user. In the case
where the item ordered is digital in format, such as software, graphics, text, video, or music, the item
ordered may be downloaded into the user's PC, server, laptop, palm computer or other processor-based
system.

With the advent of cellular phones with and without wireless access protocol (WAP), a user may
also "surf" the Internet and order goods and services directly through the WAP-capable phone or a
processor-based system connected to the cellular phone in a similar manner as that used with a PC. Thus, a
user may order goods and services from anywhere with a cellular phone, satellite phone, or other type of
mobile station. Therefore, a person could be sitting in the middle of a remote area, many miles away from
another human being, let alone a telephone line, and order a video game from a web site on the other side
of the planet and download it into his palm computer connected to a cellular or a standalone WAP or
HTML (Hypertext Markup Language) capable phone and play the game on the spot.

However, the user or consumer may not know who is operating the web site and may have a
legitimate fear of supplying a credit card number over the Internet to a stranger who may or may not
deliver the desired product. Further, the user may be concerned that the agreed upon price will not be the
price actually charged to his credit card even when the buyer is dealing directly in a face to face transaction
with the seller. In addition, there is also the possibility even in a face to face transaction that the buyer may
be double billed for the same item. Also, in an Internet transaction there is no guarantee that the goods will
be delivered if the web site operator is less than honest.

Credit card companies have attempted to resolve the issues related to double billing or billing the
incorrect amount by providing dispute resolution services in which a customer may challenge a charged
amount and the credit card company will launch an investigation. However, such an investigation may
take a long time and the buyer is not guaranteed of a satisfactory resolution. In the case of fraud due to a
stolen credit card, the credit card company will normally limit liability if the card is promptly reported as
stolen. In the case of a debit card, the bank may not be required to limit liability in case of loss or theft.

Other methods utilized to prevent fraud and error in commercial transactions have included the
use of digital signatures that may not be repudiated. In public key systems, an entity called the certification
authority (CA) performs two central functions: issuance and revocation of certificates. A certificate is used
to connect a name or an authorization, such as permission to make purchases, to a public signature
verification key. The certificate is signed by the CA. To verify the certificate an authentic copy of the CA's
public signature verification key is required. For example, assume a person or entity has the public key
of a certain CA (CA1). This person or entity can verify certificates issued by a certain CA (CA2), only if
CA2's public key has been certified by CA1. This type of cross-certification of CAs is referred to as a
"public key infrastructure" (PKI). Thus, in order for digital signatures to have widespread usage such
digital signatures require the presence of a global PKI which is difficult to develop since it requires
contracts and agreements between a large number of parties. Attempts to create such a global PKI system
have so far met with failure. Public key certificates and cross certification are discussed in further detail in
Section 13.4.2 "Public key certificates" and Section 13.6.2 "Trust models involving multiple certification
authorities" of Handbook of Applied Cryptography by A. J. Menezes et al., CRC Press 1997, ISBN
0-8493-8523-7, which are incorporated herein by reference.

Therefore, what is needed are a system and method which allows a user or consumer to pay for
goods and services while ensuring that a hacker or criminal may not listen in or tap into a payment
transaction between a legitimate buyer and seller and later use this knowledge to make purchases which are
charged to the legitimate user. This system and method should further not allow the legitimate user to
repudiate legitimate charges he has made. This system and method should also prevent a seller from
forging payment transactions in the name of a legitimate consumer. This system and method should also
not require the establishment of a new infrastructure in order to operate properly.

DISCLOSURE OF INVENTION 

An embodiment of the present invention provides a method of ordering, paying for and delivering
goods and services using a mobile station. This method starts by authenticating that the mobile station is
permitted access to a telecom infrastructure. It then accesses a gateway by the mobile station and transmits
an identification code for the mobile station to the gateway. This method then requests a digital certificate
by the mobile station from the gateway used for ordering and paying for a product or service from a seller
using the certificate. The method then verifies the identity of the mobile station by the gateway accessing
an authentication center and comparing variables computed by the mobile station and variables computed
by the gateway. It then verifies the legitimacy of the gateway by comparing the variables computed by the
gateway with the variables computed by the mobile station. The method delivers a digital certificate to the
mobile station by the gateway when the identity of the mobile station and the gateway have been verified.
It then requests a product or service from a seller and transmits a digital signature, accompanied by the
digital certificate for the signature verification key, as payment to the seller.

Further, an embodiment of the present invention creates a system and computer program for
ordering, paying for and delivering goods and services using a mobile station. This system and computer
program uses a GSM authentication module to verify that the mobile station belongs to a user that can be
billed. It also has a mobile station certificate acquisition module to request a digital certificate for the
mobile station from a gateway and verify that the gateway is authorized to issue the digital certificate by
comparing variables computed by the gateway and the mobile station. The system and method also has a
gateway certificate generation module to verify that the mobile station is authorized. This module also
transmits an international mobile subscriber identifier received from the mobile station to an authentication
center, and receives information using which it can verify the authenticity of the mobile station by means
of a challenge-response protocol. Once verified, this module generates and issues a digital certificate to the
mobile station.

These and other features of this device and method will become more apparent from the following
description when taken in connection with the accompanying drawings which show, for purposes of
illustration only, examples in accordance with the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and a better understanding of the present invention will become apparent from the
following detailed description of exemplary embodiments and the claims when read in connection with the
accompanying drawings, all forming a part of the disclosure of this invention. While the foregoing and
following written and illustrated disclosure focuses on disclosing example embodiments of the invention, it
should be understood that the same is by way of illustration and example only and the invention is not
limited thereto. The spirit and scope of the present invention are limited only by the terms of the appended
claims.

The following represents brief descriptions of the drawings, wherein:

FIG. 1 is an example of an overall system diagram of an embodiment of the present invention; 

FIG. 2 is a diagram of the messages passed between a mobile station, a gateway, and a home
location register (HLR) that contains or is connected to an authentication center (AUC) so that the buyer
may be authenticated and ultimately receive a certificate which may be used to purchase goods and
services;

FIG. 3 is a flowchart of the mobile station certificate acquisition module shown in FIG. 12 as
utilized in an embodiment of the present invention;

FIG. 4 is a diagram showing a Global Standard for a Mobile (GSM) communications authentication
algorithm used in the example embodiments of the present invention;

FIG. 5 is a flowchart of the gateway certificate generation module shown in FIG. 12 as utilized in
an embodiment of the present invention;

FIG. 6 is a diagram of the messages that pass between the mobile station and the seller in order to
facilitate the purchase and payment of goods and services as utilized in an example embodiment of the
present invention;

FIG. 7 is a flowchart of a buyer purchase module shown in FIG. 12 as utilized by an embodiment
of the present invention;

FIG. 8 is a flowchart of the seller sales module, shown in FIG. 12, as utilized by an embodiment of
the present invention;

FIG. 9 is a diagram of the messages passed between the seller and the gateway in order to facilitate
payment to the seller for services and goods provided the buyer in an example embodiment of the present
invention;

FIG. 10 is a flowchart of the seller billing module, shown in FIG. 12, as utilized in an example
embodiment of the present invention;

FIG. 11 is a flowchart of the gateway billing module, shown in FIG. 12, as utilized in an example
embodiment of the present invention; and

FIG. 12 is a modular configuration diagram of the embodiments of the present invention shown in
FIGs. 3-5, 7, 8, 10, and 11.

BEST MODE FOR CARRYING OUT THE INVENTION

Before beginning a detailed description of the invention, mention of the following is in order.
When appropriate, like reference numerals and characters may be used to designate identical, corresponding
or similar components in differing figure drawings. Further, in the detailed description to follow,
exemplary sizes/models/values/ranges may be given, although the present invention is not limited to the
same.

FIG. 1 illustrates an example of an overall system diagram of an embodiment of the present
invention. In this example embodiment a mobile station (MS) 20 acts as an interface for the user, buyer or
consumer 10 for access to the present invention. This mobile station (MS) 20 may be a WAP-capable
cellular telephone, a Hypertext Markup Language (HTML) capable cellular telephone, or a cellular
telephone with a processor-based system connected to it. This processor-based system may be, but not
limited to, a laptop computer, palm computer, or other portable computing devices including the
WAP-capable telephone alone. The mobile station (MS) 20 communicates through the telecom infrastructure 30
to a local network operator service 70 through a gateway 60. Telecom infrastructure 30 may be, but not
limited to a cellular telephone control protocol, such as GSM (Global System for Mobile Communications)
telephony system, and internet protocol (IP) over wireless local area network (LAN) or any other suitable
access protocol. The interface between the mobile station 10 and the seller 50 is to communications
infrastructure 35 which may be, but not limited to, a direct physical connection, correct short range radio
frequency (RF) connection, an IP connection, or any other suitable means of communication. In turn the
seller 50 may communicate to the gateway 60 and thus the local network operator service 70 through, but
not limited to, an internet protocol packet-switched network, a dial-up line over the public switched
telephone network, or any other suitable means of communications. Therefore, the embodiments of the
present invention are not limited to communications using the Internet. Further, the local network operator
service 70 may communicate to the buyer's 10 home network operator service 80 directly through the
PSTN or via the Internet. In addition, the home network operator service 80, the local network operator
service 70 and a gateway 60 are all considered part of the mobile telephone infrastructure for billing and
authentication 90 which serves to facilitate the purchase of goods and services.

In FIG. 1 it should be noted that the assumption is made that user 10 is not within the home
network operator service 80 area. However, the embodiments of the present invention will operate when
the user 10 is in the home network operator service 80 area and thus the home network operator service 80
and the local network operator service 70 may be one and the same entity.

When the user or consumer 10 is not in his home network operator service 80 area, the user 10
may still make purchases from seller 50 if a roaming agreement exists between the local network operator
service 70 and the home network operator service 80. Further, the seller 50 may be anyone selling a good
or service from a street flower vendor to a department or clothing store. The seller 50 may also be a seller
of software or other digital products and may have a store front or may have a web site on the Internet 40.
The only restriction on the seller 50 is that he be permitted by the local network operator service 70 to
accept digital payment certificates from a buyer 10 and submit them to the local network operator service
70 for payment. If the user or buyer 10 is outside of his home network operator service 80 area, the local
network operator service 70 will submit an accounting record of the transaction between buyer 10 and
seller 50 to the user's 10 home network operator service 80 for billing on the user's 10 telephone bill.

Still referring to FIG. 1, using the present invention it is possible for a buyer 10 to utilize mobile
station 20 similarly to a credit card to pay for goods and services wherever the user's home network
operator service 80 has established a roaming agreement with the local network operator service 70. As
with the major credit cards, this could someday be worldwide if a universal cellular phone standard is
established. As will be discussed ahead, the use of the present invention eliminates the possibility of
double billing a buyer 10 for a product or service or submitting an incorrect price for payment for a
particular good or service. Further, since digital signatures cannot be forged by any party that does not have
access to the signing key, and since the signing key is never released outside the mobile station 20, it would
be impossible for a third party eavesdropper, hacker, criminal, or the seller to either undetectably modify
payment messages generated by a legitimate payer, or generate bogus payment messages purportedly
coming from a legitimate payer. In addition, the buyer or user 10 may utilize mobile station 20 wherever
his home network operator service 80 has established a roaming agreement and his mobile station 20 can
interface to the local network operator service 70.

A discussion will now be supplied involving the logic employed in the embodiments of the present
invention. Specifically, a discussion will be provided of the flowcharts and diagrams illustrated in FIGs. 2
through 11 and the modular configuration diagram provided in FIG. 12. The flowcharts and diagrams
shown in FIGs. 2 through 12, as well as the modular configuration diagram shown in FIG. 12 contain
operations that correspond, for example, to code, sections of code, instructions, firmware, hardware,
commands or the like, of a computer program that is embodied, for example, on a storage medium such as
floppy disk, CD Rom, EP Rom, hard disk, etc. Further, the computer program can be written in any
language such as, but not limited to, for example C++.

Embodiments of the present invention use the GSM (Global System for Mobile Communications)
telephony system that employs algorithms in the mobile station (MS) 20, such as, but not limited to,
cellular phones and WAP-capable cellular phones, and the mobile telephone infrastructure for billing and
authentication 90 which controls authentication of the user 10 and mobile station 20 to prevent
unauthorized access to the network and to provide encryption of the transmissions between users. The
GSM System is described in depth in the publication, "The GSM System for Mobile Communications" by
Mouly and Pautet, Copyright 1992, which publication is incorporated herein by reference in its entirety.
Security features of the GSM system are described in pages 477 through 498 of the Mouly and Pautet text.
Further detail of the GSM system security is provided in ETSI publication TS 100 929 V.6.1.0 (1999)
entitled "Digital cellular telecommunications system (Phase 2+); Security related network functions"
(GSM 03.20 version 6.1.0 Release 1997), which is incorporated herein by reference in its entirety. The
usage of the GSM system in the present invention will be discussed in further detail in relation to the FIGs.
2-12 and in particular to FIG. 4. However, it should be noted that any other GSM like system may be used
that authenticates a mobile station 20 for access to a telecom infrastructure 50.

FIG. 2 is a diagram of the messages passed between a mobile station 20, a gateway 60, and a home
location register (HLR) authentication center (AUC) located in the home network operator service 80. In
the following discussion, curly brackets { } indicate a set of one or more items, and square brackets [ ]
indicate an optional item. The messages 210 through 260 enable mobile station 20, and thus a buyer 10, to
receive a digital certificate which enables the buyer 10 to purchase and pay for goods and services from
seller 50. A total of four messages are exchanged between mobile station 20 and gateway 60, while two
messages are exchanged between gateway 60 and HLR/AUC 100. These messages will be discussed in
further detail in reference to FIGs. 3 and 5. However, to summarize, message 210 is transmitted from
mobile station 20 to gateway 60 and contains a session identification (SID) and an international mobile
subscriber identifier (IMSI). The IMSI is a unique identification number supplied for each mobile station
20 by the home network operator service 80 upon initial signing of a contract for service. The SID is a
number assigned by the mobile station 20 and used to identify this particular session. The gateway 60 in
turn stores the SID and IMSI in its local memory and transmits the IMSI in message 220 to the HLR/AUC
100 contained within home network operator service 80. The gateway 60 is able to identify which
HLR/AUC 100 it needs to transmit the IMSI to based on information contained within
As will be discussed in further detail in reference to FIG. 4, the HLR/AUC 100 responds with message 230
containing a random number (RAND) 410, a signed response (SRES) 450, and an encryption key (Kc)
400. The gateway 60 takes the Kc 400 and uses it to compute an integrity key (K) based on the formula
K = f ({Kc}), where f is a cryptographic one-way hash function known both to the gateway 60 and to the
mobile station 20. The gateway 60 would then store the SID, IMSI, RAND 440, SRES 450 and K in a
single record in the gateway's 60 memory. Thereafter, message 240 is sent from the gateway 60 to the
mobile station 20 and contains RAND 440 and M1. M1 is computed based upon a message authentication
code (MAC) function using integrity key (K) and RAND 440. The formula used is represented as
M1 = MAC (K, {RAND}). The purpose of a MAC is to facilitate, without the use of any additional
mechanisms, assurances regarding both the source of a message and its integrity. MACs have two
functionally distinct parameters, a message input ({RAND}) and a secret key (K). MAC functions are
discussed in further detail in sections 9.5 "keyed hash functions (MACs)" and 9.6.3 "Data Integrity
Using MAC Alone" of Handbook of Applied Cryptography by A. J. Menezes et al., CRC Press 1997,
ISBN 0-8493-8523-7, which are incorporated herein by reference. Upon receipt of the RAND 440 and M1
variables, the mobile station 20 computes SRES 450 and Kc 400 based on RAND 440 and secret key (Ki)
410. Ki 410 is a secret key installed by the home network operator service 80 in the mobile station 20
upon signing up for a service plan. The mobile station 20 also computes the integrity key (K) using the
formula K = f ({Kc}). The computation of Kc 400 is discussed in further detail in reference to FIG. 4.

Still referring to FIG. 2, mobile station 20 responds to the receipt of message 240 by generating
message 250 and transmitting message 250 to gateway 60. Message 250 includes SRES 450, a public key
(PK), any restrictions, an alias, and M2. The public key (PK), provided by mobile station 20, is used to
generate digital signatures for user 10 which act as approvals for charges made in the purchase of goods
and services. Both the restrictions and alias are optional items. Restrictions refer to limitations on
transactions that may be placed. For example, user or buyer 10 may be protected from a loss or theft of
mobile station 20 by limiting the amount of any given purchase, the number of purchases that can be made
within a particular time frame, or the time period within which the public key is valid. The alias is an
alternate identification for the mobile station 20. M2 is computed based upon another MAC function
utilizing the variables K, SRES 450, PK, restrictions, and the alias. The specific formula for computation
of M2 is M2 = MAC (K, {SRES}, PK, [{restrictions}], [alias]). Upon receipt of message 250, the gateway
60 generates a digital certificate (C) and stores in a record in memory the SID, IMSI, f (RAND, SRES, K),
PK, restrictions, alias, and digital certificate (C). Thereafter, the gateway 60 computes M3 which is based
on formula M3 = MAC (K, C). Then in message 260, the gateway 60 transmits the message 260
containing the digital certificate (C) and M3 to the mobile station 20. The digital certificate (C) may then
be used to purchase goods and services from seller 50.

In an alternate embodiment of the messages shown in FIG. 2, it is possible to enhance security of
the present invention by encrypting the IMSI in message 210 using a public key supplied by the gateway
60 or some other server. In this manner it is less likely that the IMSI would be intercepted by a third party.

In a still further alternate embodiment of the messages shown in FIG. 2, it is possible to have the
SID jointly selected by the mobile station 20 and the gateway 60. In this manner, tracking of the certificate
in message 260 and associating it to the SID may be simplified for the gateway 60.

In another alternate embodiment of the messages shown in FIG. 2, it is possible to drop the SRES
450 in message 250 since it is already required to generate a correct M2.

In another embodiment of the messages shown in FIG. 2, it is possible for the HLR to compute the
integrity key K and send it as part of message 230 to the gateway. In this case, as an alternative
embodiment, instead of the integrity key (K) computed as a function of the set of encryption key (Kc) 400,
it may be computed directly from the secret key (Ki) 410 and the random number (RAND) 440.

In another embodiment of the messages shown in FIG. 2, the public key (PK) may be a long term
public key stored in the authentication center (AUC). In this case, PK is included in message 230, and
need not be included in message 250.

In still another embodiment of the messages shown in FIG. 2, the public key (PK) of the local
network operator service 70 (denoted as PK_G) can be included in message 260. This allows the mobile
station 20 to verify certificates that were issued by the operator to other entities such as sellers 50. It also
allows the mobile station 20 to verify certificates that were issued to other mobile stations 20, thereby
allowing the first mobile station 20 to act as a seller. Therefore, a mobile station 20 may act in one
instance as a buyer and in the next instance as a seller. This would be most suitable when the product
being sold is a digital product. However, any good or service may be sold this way.

A discussion will now be provided for FIGs. 3 through 5 detailing the exchange of messages as
shown in FIG. 2. FIG. 3 is a flowchart of the mobile station certificate acquisition module 1500 shown in
FIG. 12. The mobile station certificate acquisition module 1500 is used to generate messages 210 and 250
shown in FIG. 2. The mobile station certificate acquisition module 1500 also receives and processes
messages 240 and 260 from a gateway 60, as shown in FIG. 2. The mobile certificate acquisition module
1500 includes operations 300 through 430 shown in FIG. 3.

Referring to FIG. 3, the mobile station certificate acquisition module 1500 begins execution in
operation 300 and immediately proceeds to operation 310. In operation 310, a SID is generated which is a
unique number identifying a session. In addition, the IMSI representing the international mobile
subscriber identifier is retrieved and along with the SID is transmitted to gateway 60 in message 210.
Thereafter, in operation 320, the mobile station 20 will wait for receipt of message 240 from gateway 60.
Upon arrival of message 240, processing will then proceed to operation 330. As previously discussed,
message 240 contains a random number (RAND), and M1. M1 was computed by the gateway 60 utilizing
an integrity key (K) and a random number (RAND) received from the HLR/AUC 100. In operation 330,
mobile station 20 computes M1'. M1' is computed in the same manner by the mobile station 20 as M1 was
computed by gateway 60 with the exception that encryption key (Kc) 400 is contained within the mobile
station 20 itself and is used to compute integrity key (K). Utilizing the same formula used by the gateway
60, the mobile station 20 is able to compute M1'. The formula utilized is M1' = MAC (K, {RAND}).
Therefore, in operation 340 a comparison is made between M1 received from gateway 60 and M1'
computed by the mobile station 20. This comparison is done in order to assure the mobile station 20, and
thus user 10, that the source of message 240 is a legitimate portion of the GSM system. If M1 is not found
to equal M1' in operation 340, then processing proceeds to operation 350 where execution of the mobile
station certificate acquisition module 1500 is aborted and processing terminates. If operation 350 is
executed the assumption is that message 240 has been corrupted or that a gateway 60 is being
impersonated by an unauthorized individual.

Still referring to FIG. 3, if M1 = M1' then processing proceeds from operation 340 to operation
360. In operation 360, M2 is computed. As previously discussed, M2 is computed based upon a MAC
function utilizing the variables K, SRES 450, PK, restrictions, and the alias. The specific formula for
computation of M2 is M2 = MAC (K, {SRES}, PK, [{restrictions}], [alias]). Thereafter, message 250 is
generated containing SRES, PK, restrictions, alias, and M2 and is transmitted to gateway 60. In operation
380, the mobile station 20 waits for receipt of message 260 from gateway 60. Upon receipt of message 260
from gateway 60 processing then proceeds to operation 390. In operation 390, M3' is computed as
previously discussed above in reference to FIG. 2. M3' is computed in the same manner as M3 was
computed by the gateway 60 based on formula M3 = MAC (K, C) with the exception that encryption key
(Kc) 400 is contained within the mobile station 20 itself and is used to compute integrity key (K).
Thereafter, processing proceeds to operation 400 where M3' is compared against M3 received in message
260 from gateway 60. If it is determined in operation 400 that M3' does not match M3, then processing
proceeds to operation 410. In operation 410, processing of the mobile station certificate acquisition
module 1500 is terminated. When M3' does not match M3, it is assumed that message 260 has been
corrupted or that an unauthorized individual is impersonating a gateway 60. However, if M3' does match
M3 in operation 400, then processing proceeds to operation 420. In operation 420, the certificate received
in message 260 is stored in the memory of mobile station 20. This certificate may be used, within any
associated restrictions, for the purchasing of goods and services from seller 50. Thereafter, processing for
the mobile station certificate acquisition module 1500 terminates in operation 430.

FIG. 4 further details authentication in a GSM network performed by the generation of a signed
response (SRES) 450 by both the mobile station (MS) 20 and the home network operator service 80 and
gateway 60 which is a function of a unique secret key (Ki) 410 of the mobile station 10 and a random
number (RAND) 450 as used in the logic shown in FIGs. 3 and 5. The signed response (SRES) 450 is
calculated in a subscriber identification module (SIM) (not shown) located in the mobile station (MS) 20,
based on Ki 410 inside the SIM and RAND 440 obtained from the network authentication center (AUC)
(not shown) in the home network operator service 80. Additionally, the mobile station (MS) 20 and the
authentication center in the home network operator service 80 each generate a ciphering key (Kc) 400
which is a function of the same random number RAND 440 and the secret key (Ki) 410 of the mobile
station 20. This authentication process is a two stage process which employs two algorithms. The first
algorithm, which calculates SRES 450, is known as the A3 algorithm module 420 and the second, key
generation, algorithm which computes Kc 400, which is computed each time a mobile station 20 is
authenticated, is known as the A8 algorithm module 430. However, each of the operations of
authentication and computing of the ciphering key (Kc) 400 requires the mobile station (MS) 20 to be
programmed to perform the aforementioned computations.

Still referring to FIG. 4, the mobile switching center (not shown) located in the local network
operator service 70 authenticates the mobile station 20 whenever a new mobile station (MS) 20 registers
with the mobile telephone infrastructure for billing and authentication 90 and whenever a registered mobile
station (MS) 20 turns on the power. Authentication in a GSM system is based on a secret key (Ki) 310 that
is shared by the home network operator service 80 and the subscriber and which is different for each
subscriber. The home network operator service 30 keeps the key Ki 410 in the AUC and the subscriber has
Ki 410 installed within SIM card of the mobile station 20, which he receives from the home network
operator service 80 when the subscription contract is made. To protect the secrecy of Ki 410, the SIM is
made so that the mobile station (MS) 20 cannot directly access the value of Ki 410, and can only initiate
certain computations in the SIM that use Ki 410 and then receive the results of those computations.
Similarly, the elements of the mobile telephone infrastructure for billing and authentication 90, such as
home location register (HLR) cannot access subscribers' keys Ki 410 directly. These network elements
may only request from the AUC a result of computations that use Ki 410 as discussed above. These
computations are an A3 algorithm module 420 and an A8 algorithm module 430 and are identical in the
SIM of the mobile station (MS) 20 and in the AUC in the home network operator service 80.

The foregoing mentioned GSM authentication process is a two stage process. In the first stage of
GSM authentication, a local network operator service 70 element, which is typically a MSC/VLR (Mobile
services Switching Center/Visitor Location Register), receives an International Mobile Subscriber
Identifier (IMSI) from the mobile station (MS) 20 and requests from the AUC of the home network
operator service 80 one or more triplets. These triplets are composed of RAND 440, SRES 450, and Kc
400. This process begins by the mobile station 20 sending an International Mobile Subscriber Identifier
(IMSI) to MSC/VLR in the local network operator service 70. The MSC/VLR then requests authentication
triplet(s) (RAND 440, SRES 450, and Kc 400) from the AUC in the home network operator service 80.
The AUC, in the home network operator service 80, computes one or more triplets (RAND 440, a SRES
450, and a Kc 400) and sends them to the MSC/VLR in the local network operator service 70.

In the second stage of GSM authentication, the MSC/VLR of the local network operator service 70
authenticates the mobile station (MS) 20 by the MSC/VLR in the local network operator service 70
sending to mobile station 20 an authentication request (RAND) in which the message contains a RAND
140. The MS 20 then sends to the SIM, contained within MS 20, a run GSM algorithm (RAND) request
message which again contains RAND 440. In operation 260, MS 20 sends to the SIM a get response
message. Thereafter, the SIM replies with a response having a SRES 450 and Kc 400. Then MS 20 stores
Kc 400 in the SIM by sending to the SIM a write (Kc) request in which the message contains Kc 400. The
MS 20 sends to MSC/VLR a Radio Interface Layer 3, Mobility Management (RIL 3-MM) protocol
authentication response in which the SRES 450 is contained in the message. After receiving the message
the MSC/VLR, in the local network operator service 70, compares SRES 450 that it has received from the
AUC in the home network operator service 80, in stage one of GSM authentication discussed above, with
the SRES 450 received from the MS 20. If the values of the SRES 450 are determined not to be identical
then authentication fails and service is not established. However, if the values are identical then
authentication succeeds and service is established for the MS 20.

FIG. 5 is a flowchart of the gateway certificate generation module 1600, shown in FIG. 12, as
utilized in an embodiment of the present invention. The gateway certificate generation module 1600 is the
counterpart of the mobile station certificate acquisition module 1500 and serves to generate a digital
certificate required by buyer 10 in order to make purchases from seller 50. The gateway certificate
generation module 1600 begins execution in operation 500 and immediately proceeds with operation 510.
In operation 510, the gateway 60 awaits transmission of message 210 from mobile station 20. Upon
receipt of message 210 from mobile station 20, the gateway 60 stores in local memory the SID and IMSI
contained in message 210 and processing proceeds to operation 520. In operation 520, the gateway 60
generates message 220 containing the received IMSI. Based on IMSI, the gateway 20 knows which
HLR/AUC the mobile station 20 is associated with and can thereby transmit message 220 thereto.
Thereafter, processing proceeds to operation 536 where the gateway 60 waits for the receipt of message
230 from the HLR/AUC 100. The HLR/AUC 100 upon receipt of message 220 will reply with one or
more triplets. These triplets contain RAND 440, SRES 450, and Kc 400. The gateway 60 will then
proceed to compute M1 in operation 540 as previously discussed. M1 is computed based upon a message
authentication code (MAC) function using integrity key (K) and RAND 440. The formula used is
represented as M1 = MAC (K, {RAND}). Integrity key (K) is computed based on Kc 400 received from
HLR/AUC 100 using the formula K = f ({Kc}). Processing then proceeds to operation 550 where
message 240 is generated and transmitted to mobile station 20. As previously discussed, message 240
contains RAND 440 and M1. Thereafter, processing proceeds to operation 560 where the gateway 60
waits for message 250 from mobile station 20. Upon receipt of message 220 processing proceeds to
operation 570 where M2' is computed. M2' is computed based upon a MAC function utilizing the
variables K, SRES 450, PK, restrictions, and the alias. The specific formula for computation of M2' is
M2' = MAC (K, {SRES}, PK, [{restrictions}], [alias]). Processing then proceeds to operation 580 where
a comparison is made between M2, received in message 250, and M2' computed by gateway 60. If M2'
and M2 do not match then processing proceeds to operation 590 where the execution of the gateway
certificate generation module 1600 is aborted. However, if M2' and M2 match then processing proceeds to
operation 600. In operation 600, M3 is computed by the gateway 60. The gateway 60 computes M3
based on the formula M3 = MAC (K, C). In operation 610, message 260 containing the certificate and M3
are transmitted to the mobile station 20. Thereafter, processing terminates for the gateway certificate
generation module 1600 in operation 270.
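
The exchange of messages 210 through 260 described for FIGs. 3 and 5, together with the triplet generation of FIG. 4, written out as an added Python example that is not part of the original specification. The A3/A8 stand-ins, the function f, HMAC-SHA-256 as the MAC, the unsigned JSON certificate placeholder and all class and function names are assumptions.

```python
import hashlib
import hmac
import json
import os


class ProtocolAbort(Exception):
    """Raised where the flowcharts abort (operations 350, 410 and 590)."""


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def a3_sres(ki, rand):      # stand-in for the A3 algorithm (assumption)
    return _prf(ki, b"A3", rand)[:4]


def a8_kc(ki, rand):        # stand-in for the A8 algorithm (assumption)
    return _prf(ki, b"A8", rand)[:8]


def integrity_key(kc):      # K = f({Kc}); this particular f is an assumption
    return hashlib.sha256(b"integrity-key" + kc).digest()


def mac(k, *fields):
    """MAC(K, field, ...); fields are length-prefixed so their boundaries are unambiguous."""
    h = hmac.new(k, digestmod=hashlib.sha256)
    for field in fields:
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()


class AuC:
    """Authentication center: the only network element that holds Ki."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = os.urandom(16)
        return self._ki[imsi]                 # the copy written into the SIM

    def triplet(self, imsi):
        rand = os.urandom(16)
        return rand, a3_sres(self._ki[imsi], rand), a8_kc(self._ki[imsi], rand)


class Gateway:
    def __init__(self, auc):
        self.auc, self.sessions = auc, {}

    def on_210(self, sid, imsi):
        rand, sres, kc = self.auc.triplet(imsi)        # messages 220 and 230
        k = integrity_key(kc)
        self.sessions[sid] = (k, sres)
        return rand, mac(k, rand)                      # message 240: RAND, M1

    def on_250(self, sid, sres, pk, restrictions, alias, m2):
        k, expected_sres = self.sessions.pop(sid)
        # M2' is computed over the SRES taken from the triplet, not the received one.
        m2_check = mac(k, expected_sres, pk, restrictions, alias)
        sres_ok = hmac.compare_digest(sres, expected_sres)
        if not (sres_ok and hmac.compare_digest(m2, m2_check)):
            raise ProtocolAbort("operation 590: M2 does not match M2'")
        # Constructed placeholder for certificate C; a real one is signed by the gateway.
        cert = json.dumps({"pk": pk.hex(), "restrictions": restrictions.decode(),
                           "alias": alias.decode()}, sort_keys=True).encode()
        return cert, mac(k, cert)                      # message 260: C, M3


class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki                 # Ki stays inside the SIM
        self.pk = os.urandom(32)                       # placeholder for a public key
        self.k = None
        self.certificate = None

    def on_240(self, rand, m1, restrictions=b"max=20EUR", alias=b"buyer-10"):
        self.k = integrity_key(a8_kc(self._ki, rand))
        if not hmac.compare_digest(m1, mac(self.k, rand)):        # M1' against M1
            raise ProtocolAbort("operation 350: M1 does not match M1'")
        sres = a3_sres(self._ki, rand)
        m2 = mac(self.k, sres, self.pk, restrictions, alias)
        return sres, self.pk, restrictions, alias, m2             # message 250

    def on_260(self, cert, m3):
        if not hmac.compare_digest(m3, mac(self.k, cert)):        # M3' against M3
            raise ProtocolAbort("operation 410: M3 does not match M3'")
        self.certificate = cert                                   # operation 420


def acquire_certificate(ms, gateway, sid=b"sid-1"):
    rand, m1 = gateway.on_210(sid, ms.imsi)
    msg_250 = ms.on_240(rand, m1)
    cert, m3 = gateway.on_250(sid, *msg_250)
    ms.on_260(cert, m3)
    return ms.certificate
```

Because K is derived from Kc, and Kc from Ki, each of the three MAC checks fails for a party that does not hold the subscriber's Ki or a triplet issued by the AuC.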

Upon termination of the mobile station certificate acquisition module 1500 along with its
counterpart, gateway certificate generation module 1600, the mobile station 20 has in its possession a
certificate which buyer 10 may use to purchase goods and services from seller 50. FIGs. 6 through 8
illustrate the processing involved by the embodiment of the present invention in order for buyer 10 to make
a purchase from seller 50.

FIG. 6 is a diagram of the messages passed between the mobile station 20 and the seller 50 in order
to facilitate the purchase and payment of goods and services as utilized in an example embodiment of the
present invention. A total of two messages are sent by the mobile station 20 to seller 50. The messages
sent from mobile station 20 to seller 50 include message 610 and message 630. Seller 50 in turn responds
with message 620 and message 640. Message 610 contains a certificate received from gateway 60 and a
request for a particular product or service. Message 620 is an invoice transmitted from seller 50 to mobile
station 20. This invoice serves to notify buyer 10 through mobile station 20 of the price of the item
requested. The invoice contains a seller-specific unique transaction identifier, chosen by the seller 50, and
the identity of the seller 50, as assigned by the gateway 60. Message 630 includes a digital signature which
serves to authorize charging the price of the invoice against the certificate supplied. Message 640 includes
the delivery of the product to the mobile station 20. In the foregoing discussion of messages 610 through
640 it has been assumed that the product or service requested is in digital format that could be downloaded
to mobile station 20. However, as previously discussed the product or service an individual buyer 10 may
request may be anything including such tangible items as flowers and clothing. In the case where the
product is a tangible item and buyer 10 and seller 50 face each other, then the request may take the form of
an oral request and the delivery may take the form of handing over the flowers or other product.

In an alternate embodiment of the message configuration shown in FIG. 6, it is possible for
message 610 to contain the request only, and message 630 to contain both the signature and the certificate.
In this manner the seller sales module 1800, discussed in detail ahead, verifies the certificate and signature
at the same time.

In a further alternate embodiment of the message configuration shown in FIG. 6, it is possible to
charge for use of a product, such as a software based game, by the time of usage and not for mere delivery
of the product. One method for implementing this would be for several messages 620 to be sent to the
mobile station 20 at periodic time intervals. For example, if buyer 10 requests a game and it is
downloaded, an initial invoice would be sent, after which a new invoice will be sent every five minutes.

FIG. 7 is a flowchart of a buyer purchase module 1700 shown in FIG. 12 as utilized by an
embodiment of the present invention. The buyer purchase module 1700 includes operations 700 through
770 shown in FIG. 7. When a buyer 10 initiates a purchase of an item from seller 50, the buyer purchase
module 1700 begins execution in operation 700 and immediately proceeds to operation 710. In operation
710 the mobile station 20 transmits message 610 to seller 50. The mode of transmission may be any form
of digital communications. Thus, if the seller 50 is a web site, then mobile station 20 would access seller
50 through the cellular access network, via a gateway (such as a WAP gateway), and then through the
Internet. However, if a face-to-face transaction is occurring between buyer 10 and seller 50 then
communications between mobile station 20 and seller 50 may include any short range form of
communications including cable, infrared, low-power radio frequency, or any other suitable means.

Still referring to FIG. 7, in operation 720 mobile station 20 will wait for receipt of message 620
from seller 50. Upon receipt of message 620 processing then proceeds to operation 730. In operation 730
the buyer 10 checks the invoice price to determine if it is valid. In operation 740, a determination is made
whether invoice (I) is correct. If invoice (I) is not correct processing proceeds to operation 750 where
processing of the buyer purchase module 1700 is terminated. However, if the invoice (I) is correct then
processing proceeds to operation 750. In operation 750, the buyer 10 digitally signs the invoice using a
secret key (Ki) 410 and the signature is returned in message 630. Thereafter, processing proceeds to
operation 760 where mobile station 20 awaits delivery of message 640. In the case where the product
being delivered by seller 50 is a digital product, operation 760 would be executed. However, where the
product being delivered is a tangible product, such as a basket of flowers, operation 760 may simply be the
handing over that product to buyer 10 from seller 50. Thereafter, the buyer purchase module 1700
terminates execution in operation 770.

FIG. 8 is a flowchart of the seller sales module 1800, shown in FIG. 12, as utilized by an
embodiment of the present invention. The seller sales module 1800 is counterpart to the buyer purchase
module 1700 and is utilized to check the validity of the digital certificate received from the buyer purchase
module 1700.

Referring to FIG. 8, the seller sales module 1800 includes operations 800 through operation 905.
The seller sales module 800 begins execution in operation 800 and immediately proceeds to operation 810.
In operation 810, the seller sales module 1800 waits for receipt of message 610 containing the certificate
and service request. Upon receipt of message 610, processing proceeds to operation 820 where the validity
of the certificate is verified and it is checked that any optional restrictions are not violated. Thereafter, in
operation 830 the result of digital certificate verification is checked. This verification of the digital
certificate is done online so that the seller 50 may determine whether the digital certificate provided by
buyer 10 is still valid. The situation may arise where a certificate is issued by gateway 60 and later revoked
when the subscriber reports a loss or theft of mobile station 20.

Still referring to FIG. 8, if the certificate is not valid then processing proceeds to operation 845
where the execution of the seller sales module 1800 is terminated. However, if the certificate is valid, then
processing proceeds to operation 840. In operation 840, it is determined whether the requested service
complies with the optional restrictions applied. If the requested service does not comply with restrictions
then again processing proceeds to operation 845 where execution of the seller sales module 1800 terminates.
However, if the restrictions are violated, then processing proceeds to operation 850. In operation 850, the
invoice (I) is sent in message 620 to mobile station 20. In operation 860, the seller sales module 1800
waits for receipt of message 630. Upon receipt of message 630 containing signature (S), operation 870
checks the signature (S). Thereafter, in operation 880, a determination is made if signature (S) is valid. If
the signature is not valid the processing again proceeds to operation 845 where the seller sales module
1800 is terminated. However, if the signature is valid, processing proceeds to operation 890 where the
seller 50 creates an accounting record (AR) and stores it in the seller's 50 local database. Thereafter,
processing proceeds to operation 900 where the seller 50 proceeds to deliver the product or service desired.
This may be done through the transmission of message 640 where the product is a digital product. Finally,
the seller sales module 1800 terminates execution in operation 905.

FIGs. 9 through 11 illustrate the process whereby the seller 50 is able to receive payment for
products and services sold using the embodiment of the present invention.

FIG. 9 is a diagram of the messages passed between the seller 50 and the gateway 60 in order to
facilitate payment to the seller for services and goods provided to the buyer 10 in an example embodiment
of the present invention. Only two messages are exchanged between seller 50 and gateway 60. Message
910 simply contains the current records accumulated by seller 50 within a finite period of time. However,
as would be appreciated by one of ordinary skill in the art, each time an accounting record is generated it
may be transmitted to gateway 60. Message 920 is a response supplied by gateway 60 to seller 50
indicating acceptance or rejection of the accounting records transmitted.

FIG. 10 is a flowchart of the seller billing module 1900, shown in FIG. 12, as utilized in an
example embodiment of the present invention. The seller billing module 9000 includes operations 1000
through 1160 shown in FIG. 10. The seller billing module 9000 begins execution in operation 1000 and
immediately proceeds to operation 1010. In operation 1010, variable i is set to 0. In operation 1020 a
determination is made if any records remain that have not been incorporated into message 910. If no
records are left then processing proceeds to operation 1030 where the seller billing module 1900 terminates
execution. However, if no accounting records remain to be processed then processing proceeds to
operation 1040 where they are placed in message 910. Thereafter, in operation 1050 i is incremented by 1. In
operation 1060, a determination is made if any records remain to be processed. If records remain to be
processed then processing proceeds to operation 1070. In operation 1070, it is determined whether the
variable i is less than the variable n which represents the maximum number of accounting records that may
be put in message 910. If i is less than n then processing loops back to operation 1040 for further
processing. However, if i is not less than n, then processing proceeds to operation 1080. In operation 1080
message 910 containing the accounting records is sent to seller 50. Thereafter, processing proceeds to
operation 1090 where seller 50 awaits return of message 920 from gateway 60. Upon receipt of message
920 processing proceeds to operation 1110. In operation 1110, the responses from gateway 60 are
accepted. In operation 1120, it is determined whether the response received indicates confirmation and
thus an approval of the accounting record and payment thereof. If the responses are not confirmed in
operation 1120, processing proceeds to operation 1130 where the accounting record is added to the error
log. The error log would then be examined at some later point in time to determine the proper course of
action. However, if the response equals a confirmation, then processing proceeds to operation 1140 where
the accounting record is entered into a local internal log. Thereafter, in both the case of operation 1130
and 1140, processing proceeds to any unprocessed responses left in message 920. If there are any
unprocessed responses, then processing loops back to operation 1110. However, if all responses have been
processed, then processing proceeds to operation 1160 where execution of the seller billing module 1900 is
terminated.

FIG. 11 is a flowchart of the gateway billing module 2000, shown in FIG. 12, as utilized in an
example embodiment of the present invention. The gateway billing module 2000 is utilized to credit seller
50 with funds for purchases made by buyer 10 using mobile station 20. The gateway billing module 2000
also serves to verify the existence of a corresponding buyer's record containing the digital certificate
created by gateway certificate generation module 1600. Further, the gateway billing module 2000 also
verifies the validity of the signature generated by the buyer purchase module 1700. As will be discussed in
further detail ahead, using the verification of the digital certificate and the signature it is possible to insure
that the buyer 10 is paying the correct amount for the purchase and that the buyer 10 is only being billed
once.

The gateway billing module 2000 includes operations 1200 through 1340 shown in FIG. 11 and
begins execution in operation 1200. The gateway billing module 2000 upon startup in operation 1200
immediately proceeds to operation 1210. In operation 1210, the gateway billing module 2000 waits for the
transmission and arrival of message 910 from the seller billing module 1900. In operation 1220, the
message 910 is received from the seller 50 and processing proceeds to operation 1230. In operation 1230,
an accounting record (AR) is extracted from message 910. Processing then proceeds to operation 1235
where it is determined whether this particular accounting record has previously been submitted. If the
accounting record has previously been submitted then processing proceeds to operation 1300 where an error
response is generated. However, if this particular accounting record has not been previously processed,
then processing proceeds to operation 1240. In operation 1240, the gateway 60 database is searched to
find a corresponding record of the digital certificate for this sale. In operation 1250 a determination is
made whether a record has been found. If no record is found then processing proceeds to operation 1300
where an error response for this particular accounting record is stored for transmission in message 920 to
seller 50. However, if a corresponding record is discovered then processing proceeds to operation 1260.

Still referring to FIG. 11, the gateway billing module 2000, executing on gateway 60, proceeds to
perform the second check to determine if the accounting record is correct. In operation 1260, the signature
of buyer 10 is checked. Further, the associated restrictions for the digital certificate are checked to
determine if this accounting record violates any of these restrictions. In operation 1270, if either signature
cannot be verified or if any restrictions are violated then processing proceeds to operation 1300 where an
error response for this particular accounting record is stored for transmission in message 920. However, if
the signature is verified and the restrictions are not violated then processing proceeds to operation 1280. In
operation 1280, a call detailed record (CDR) is stored in the gateway 60 database so that at some later time
the seller 50 may be paid for all purchases by buyer's 10 for that period of time. Further, the call detailed
report is also charged to the buyer's 10 account for that period of time. In GSM network this is done by
sending the CDR from local operator to the home operator, the home operator then adds the transaction
indicated in that CDR to buyer's phone bill. Thereafter, in operation 1290, the response for this
accounting record is confirmed and stored as such for transmission in message 920 to the seller 50.
Thereafter, processing proceeds from both operations 1290 and 1300 to operation 1310 where either a
confirmed response or an error response is placed in the message 920. In operation 1320, it is determined
if other accounting records remain in message 910 and need to be processed. If accounting records remain
unprocessed in message 910 then processing loops back to operation 1230. However, if all accounting
records have been processed then processing proceeds to operation 1330. In operation 1330, message 920
containing all responses to all the accounting records is transmitted to the seller 50 and processing for the
gateway billing module terminates in operation 1340.
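
The checks of operations 1235 through 1290, as an added Python example that is not part of the original specification. A Lamport one-time signature stands in for the buyer's unspecified signature scheme (so each key signs a single invoice), and the record layout, the integer amount limit used as the restriction and all names are assumptions.

```python
import hashlib
import json
import os


def _h(data):
    return hashlib.sha256(data).digest()


def _bits(msg):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# Lamport one-time signature: a stand-in (assumption) for the buyer's signature scheme.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    bits = _bits(msg)
    return len(sig) == 256 and all(_h(sig[i]) == pk[i][bits[i]] for i in range(256))


def make_invoice(seller, txn, amount):
    """Invoice (I): seller identity, seller-chosen transaction id, price in minor units."""
    fields = {"seller": seller, "txn": txn, "amount": amount}
    return json.dumps(fields, sort_keys=True).encode()


class GatewayBilling:
    def __init__(self):
        self.certs = {}      # certificate id -> (verification key, amount limit)
        self.seen = set()    # (seller, txn) pairs already billed
        self.cdrs = []       # call detailed records awaiting settlement

    def register_certificate(self, cert_id, pk, max_amount):
        self.certs[cert_id] = (pk, max_amount)

    def process_910(self, records):
        """Check every accounting record of message 910; the list returned is message 920."""
        return [self._check(ar) for ar in records]

    def _check(self, ar):
        invoice = json.loads(ar["invoice"])
        key = (invoice["seller"], invoice["txn"])
        if key in self.seen:                                    # operation 1235
            return "error: already submitted"
        record = self.certs.get(ar["cert_id"])                  # operations 1240-1250
        if record is None:
            return "error: no certificate record"
        pk, max_amount = record
        if not lamport_verify(pk, ar["invoice"], ar["sig"]):    # operations 1260-1270
            return "error: bad signature"
        if invoice["amount"] > max_amount:
            return "error: restriction violated"
        # Marked as seen only once confirmed, so a forged record cannot block the
        # genuine one (a choice made for this example).
        self.seen.add(key)
        self.cdrs.append({"cert_id": ar["cert_id"], **invoice})  # operation 1280
        return "confirmed"                                       # operation 1290
```

The signature covers the whole invoice, so a seller that raises the amount after signing is rejected, and the (seller, transaction identifier) pair is what lets the gateway bill each purchase only once.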

It should be noted that the seller billing module 1900 and the gateway billing module 2000
processed accounting records in a batch operation. However, as would be appreciated by one of ordinary
skill in the art, an accounting record may also be transmitted from the seller 50 to the gateway 60 as they
are generated in the seller sales module 1800. Such an approach would increase the traffic between the
seller 50 and gateway 60.

FIG. 12 is a modular configuration diagram of the embodiments of the present invention shown in
FIGs. 5, 7, 8, 10, and 11. This modular configuration diagram illustrates the interconnection between
modules in the present invention and the logical flow. It should be noted that the mobile station 20
certificate acquisition module 1500 is the only module that interfaces to the GSM authentication module
1400, the A3 algorithm module 430 and the A8 algorithm module 420, previously discussed in reference to
FIG. 4. Using this embodiment of the present invention, the mobile station 20 need only be authenticated
by the mobile telephone infrastructure for billing and authentication 90 upon startup and thus imposes a
minimal burden upon the telecom mobile telephone infrastructure for billing and authentication 90.

Still referring to FIG. 12, once the mobile station 20 is authenticated the mobile station certificate
acquisition module 1500 is able to obtain a digital certificate from the gateway 60 using the gateway
certificate generation module 1600. With the certificate in the memory of mobile station 20 the buyer
purchase module 1700 is able to make a purchase from a seller 50 in conjunction with the seller sales
module 1800. The seller sales module 1800 generates an accounting record which the seller billing
module 1900 is able to submit to the gateway 60. The gateway billing module 2000 in the gateway 60 will
verify the accuracy of the accounting record and only charge the buyer 10 for the correct amount and only
once for any purchase.

While we have shown and described only a few examples herein, it is understood that numerous
changes and modifications as known to those skilled in the art could be made to the present invention. For
example, rather than a single digital certificate being transmitted in message 260, several could be
transmitted at one time. In this manner each certificate may have its own restrictions and when a buyer or
user 10 goes to make a purchase the certificate that most closely meets the requirements of the purchase
may be transmitted to the seller 50. In addition, instead of transmitting messages containing M1, M2, and
M3 as shown in FIG. 2 it is possible for all messages to be authenticated using a 32-bit integrity key (Ki)
that is part of the third generation standard security mechanism as specified in section 6.5 "Access Link
Data Integrity" of 3G security document (3G TS 33.102 version 3.5.0 release 1999) which we incorporate
herein by reference. Therefore, we do not wish to be limited to the details shown and described herein, but
intend to cover all such changes and modifications as are encompassed by the scope of the appended
claims.

CLAIMS

What is claimed is: 

1. A method of ordering, paying for and delivering goods and services using a mobile station,
comprising:

accessing a gateway by the mobile station and transmitting an identification code for mobile station
to the gateway;

verifying the identity of the mobile station by the gateway by accessing an authentication center
and comparing variables computed by the mobile station and variables computed by the gateway;

delivering a digital certificate to the mobile station by the gateway when the identity of the mobile
station have been verified; and

requesting a product or service from a seller and transmitting a digital signature, accompanied by
the digital certificate for a signature verification key as payment to the
seller.

2. The method recited in claim 1, wherein the verifying the legitimacy of the gateway by the
mobile station by comparing the variables computed by the gateway with the variables computed by the
mobile station, further comprises:

transmitting from the mobile station to the gateway a session identification and an international
mobile subscriber identifier;

transmitting the international mobile subscriber identifier from the gateway to the authentication
center;

transmitting from the authentication center to the gateway a random number (RAND), a signed
response (SRES), and an encryption key;

computing a variable M1 by the gateway and transmitting the variable M1 and the random number
to the mobile station;

computing a variable M1' by the mobile station; and

verifying the legitimacy of the gateway when the variable M1 equals the variable M1'.

3. The method recited in claim 2, wherein the integrity key (K) is computed by both the mobile
station and the authentication center as a function of RAND and Ki, where RAND is a random number
issued by the authentication center, and Ki is a secret key contained within the authentication center and
the mobile station.

4. The method recited in claim 3, where RAND the integrity key (K) is transmitted by the of
indications center to the gateway.

5. The method recited in claim 1, further comprising:

computing a digital certificate by the gateway certifying the mobile station's public key (PK);
computing a variable M3 by the gateway and transmitting the variable M3 and the digital
certificate to the mobile station;

computing a variable M3' by the mobile station;

verifying the legitimacy of the gateway when the variable M3 equals the variable M3'.

6. The method recited in claim 5, wherein the variables M3 and M3' are computed using the
formula M3 = M3' = MAC (K, C), where MAC is a message authentication code function, K is an integrity
key and C is the digital certificate created by the gateway to certify PK.

7. The method recited in claim 1, wherein verifying the identity of the mobile station by the
gateway accessing an authentication center and comparing variables computed by the mobile station and
variables computed by the gateway, further comprises:

transmitting a signed response, a public key and a variable M2 computed by the mobile station to
the gateway;

computing a variable M2' by the gateway;
comparing the variable M2 and the variable M2'; and

verifying the identity of the mobile station when variable M2 is equal to variable M2'.

8. The method recited in claim 7, wherein variables M2 and M2' are computed using the
formula M2 = M2' = MAC (K, {SRES}, PK, [{restrictions}], [alias]), wherein MAC is a message
authentication code function, SRES is a signed response, K is an integrity key, PK is a public key,
restrictions are limits on the certificate and alias is an alternate identification for the mobile station.

9. The method recited in claim 1, wherein requesting a product or service from a seller and
transmitting the digital signature, accompanied by the digital certificate for the signature verification key as
payment to the seller, further comprises:

transmitting the certificate with the request for the product or service;
receiving an invoice from the seller indicating a price for the product or service;
computing a digital signature on the invoice;
approving the invoice by transmitting the digital signature to the seller; and
accepting delivery of the product or service by the buyer.

1 0. The method recited in claim 9. wherein the seller upon transmission of the digital signaUire, 
further c(Hnprises: 

veriiying the digital signature; 

verifying that restrictions associated with the digital certificate are not violated; and 
creating tiie an accounting record for the product or service sold. 

11. The method recited in claim 10, further comprising: 

transmitting from the seller to the gateway the accounting record having an invoice and digital 
signature of a customer of a home network operator service; 

determining by the gateway that a corresponding record exists in a local database and the validity 
of the digital signature; 

determining whether the invoice violates any restrictions contained in the corresponding record; 
crediting the seller with an amount equal to that in the invoice; and 
billing the buyer with the amount of the invoice. 

12. The method recited in claim 1, further comprising: 

verifying the legitimacy of the gateway by the mobile station by comparing the variables computed 
by the gateway with the variables computed by the mobile station. 

13. The method recited in claim 11, wherein delivering a digital certificate to the mobile station 
by the gateway when the identity of the mobile station and the gateway have been verified, further 
comprises: 

requesting a digital certificate by the mobile station from the gateway used to 
order and pay for a product or service from a seller 

14. A system for ordering, paying for and delivering goods and services using a mobile 
station, comprising: 

a GSM authentication module to verify that the mobile station is permitted to access a telecom 
infrastructure; 

a mobile station certificate acquisition module to request a digital certificate for the mobile station 
from a gateway; and 

a gateway certificate generation module to verify that the mobile station is authorized to receive the 
digital certificate by transmitting an international mobile subscriber identifier received from the mobile 
station to an authentication center, calculate variables based on information received from the 
authentication center and compare them to variables computed by the mobile station, and issue the digital 
certificate to the mobile station when the variables match. 

15. The system recited in claim 14, wherein the mobile station certificate acquisition module 
verifies that the gateway is authorized to issue the digital certificate through the use of comparing variables 
computed by the gateway and the mobile station. 

16. The system recited in claim 15, further comprising: 

a buyer purchase module to request the purchase of a good or service from a seller, present the 
digital certificate to the seller, receive an invoice and provide the seller with a digital signature approving 
the purchase of the good or service; 

a seller sales module to verify the validity of the digital certificate and the validity of the digital 
signature, issue an invoice, generate an accounting record and deliver a product or service; 

a seller billing module to transmit to the gateway the accounting record and receive a response 
indicating if the accounting record has been approved for payment; and 

a gateway billing module to verify the accounting record and an accompanying signature, and issue 
a credit to the seller and debit to the buyer when the accounting record and the accompanying signature are 
verified. 

17. The system recited in claim 16, wherein the gateway certificate generation module 
transmits an international mobile subscriber identifier to the authentication center, receives a random 
number, a signed response and an encryption key from the authentication center, computes a variable M1, 
M2', and M3 and verifies the validity of the mobile station by comparing variable M2 received from the 
mobile station with variable M2'. 

18. The system recited in claim 14, wherein the mobile station further comprises: 

a subscriber identification module (SIM) used to compute a signed response and a ciphering key 
based on a secret key, installed by a home network operator service in the subscriber identification module 
upon signing up for a service plan, and a random number obtained from an authentication center in the 
home network operator service; 

an A3 algorithm module, contained in the SIM, is used to compute the signed response; and 
an A8 algorithm module, contained in the SIM, is used to compute the ciphering key, wherein 
through the transmission of signed responses to and from the mobile station a telecommunication 
infrastructure is able to verify that the mobile station is authorized to access the telecommunication 
infrastructure and the gateway. 

19. A computer program embodied on a computer readable medium and executable by a 
computer for ordering, paying for and delivering goods and services using a mobile station, comprising: 

a GSM authentication code segment to verify that the mobile station is permitted to access a 
telecom infrastructure; 

a mobile station certificate acquisition code segment to request a digital certificate for the mobile 
station from a gateway; and 

a gateway certificate generation code segment to verify that the mobile station is authorized to 
receive the digital certificate by transmitting an international mobile subscriber identifier received from the 
mobile station to an authentication center, calculate variables based on information received from the 
authentication center and compare them to variables computed by the mobile station, and issue the digital 
certificate to the mobile station when the variables match. 

20. The system recited in claim 19, wherein the mobile station certificate acquisition code 
segment verifies that the gateway is authorized to issue the digital certificate through the use of comparing 
variables computed by the gateway and the mobile station. 

21. The computer program recited in claim 19, further comprising: 

a buyer purchase code segment to request the purchase of a good or service from a seller, present 
the digital certificate to the seller, receive an invoice and provide the seller with a digital signature approving 
the purchase of the good or service; 

a seller sales code segment to verify the validity of the digital certificate and the validity of the 
digital signature, issue an invoice, generate an accounting record and deliver a product or service; 

a seller billing code segment to transmit to the gateway the accounting record and receive a 
response indicating if the accounting record has been approved for payment; and 

a gateway billing code segment to verify the accounting record and an accompanying signature, 
and issue a credit to the seller and debit to the buyer when the accounting record and the accompanying 
signature are verified. 

22. The computer program recited in claim 20, wherein the mobile station certificate 
acquisition code segment transmits a session identification and an international mobile subscriber identifier 
to the gateway, receives a random number and a variable M1 from the gateway and verifies that the 
gateway is authentic by computing and comparing the variable M1' with M1. 

23. The computer program recited in claim 19, wherein the gateway certificate generation 
code segment transmits an international mobile subscriber identifier to the authentication center, receives a 
random number, a service response and an encryption key from the authentication center, computes a 
variable M1, M2', and M3 and verifies the validity of the mobile station by comparing variable M2 
received from the mobile station with variable M2'. 